Guys, if you’re anything like me then you’ve been counting down the days, been kept awake with excitement thinking of what to wear and how hard you’ll party for what seems like forever. Yes, that’s right folks, on May 25th of this year our beloved GDPR turns 1 year old! *dries eyes* - they grow up so fast.
We all know that GDPR has been a resounding success but we also know that, like all 1 year olds, there's been some teething problems. So let’s take a look back through our photo album of the past year and see how our little trooper has fared over its first year.
Let’s start with the reason GDPR is in our lives - data breaches. How’s it been doing with those? Well, this is probably the most successful part of GDPR’s short life. Prior to GDPR, there was no single breach notification regulation for the EU. Instead, there was a patchwork of different national interpretations of the 1995 Data Protection Directive (which GDPR replaced), meaning it was a kind of Wild West of data and sensitive information. Then GDPR came sauntering in to bring law and order to a lawless wasteland and created a unified framework for all breach notifications.
A data breach is when personal data for which a company is responsible is accidentally or unlawfully disclosed. If this happens, under GDPR, companies are obliged to report the data breach to their national DPA within 72 hours. The number of these reported in the last year is a whopping 41,502. Crikey! Looks like GDPR is really whipping people into shape!
To add to that, there have been an eye-watering 95,180 complaints made since the introduction of GDPR - a complaint being from someone who believes that their rights under GDPR have been violated. The most common types of complaints (no surprises) concerned telemarketing and promotional emails.
So what’s been happening as a result of these complaints and breaches then? Well, this is where our golden child’s report card slips from an “A+” to a “B - could be better, gets distracted easily”, because although the number of breaches reported has been incredible, the total penalties imposed under the statute added up to only €55,955,871. That sounds really impressive until you remember that a single €50 million fine levied against Google in January accounts for nearly 90% of that sum. The vast majority of companies are still not being penalised at all for data breaches, or are being fined so insignificantly that, frankly, my dear, they don't give a damn.
So as we dry our eyes and close the photo album of the first year of GDPR’s existence, we can let out a big sigh and know that GDPR is the little regulation that is doing its best and making us all proud as punch. Now let’s all join together in singing a big ol’ Happy Birthday - and don’t worry, I received consent from all present, purchased the rights to the song and accepted cookies on all our behalves so no chance of the feds swooping in mid-song.
Nearly 5 months since the General Data Protection Regulation (GDPR) was introduced across all of the European Union, complaints around data protection have nearly doubled in the UK, according to the Information Commissioner’s Office (ICO).
GDPR was designed to give Data Subjects more control over their personal data, with more transparency and the threat of larger fines to those in breach of the new rules. The GDPR requires any company that suffers a data breach to notify its users/data subjects within 72 hours of the breach being discovered.
• Data protection complaints to the UK’s ICO rose to 4,214 in July, compared to just 2,310 complaints received in May before the GDPR came into force. A spokesperson for the ICO said the increase was expected, as more users became aware of data protection because of publicity around the new rules and following a series of high-profile data scandals involving some well-known household names, like Morrison’s and Dixons Carphone.
• In July the ICO reported that since May 25th it had seen a four-fold increase in the number of breaches that organisations were self-reporting.
Experts note, however, that the increases do not mean that the number of data breaches has suddenly gone up, but rather that the full scale of the data breach problem is becoming better known.
Organisations that fail to comply with GDPR can face fines of up to 4% of annual global revenue or €20 million, whichever is greater. So far none of the EU’s Data Protection Agencies have levied any fines. Multiple DPAs told the International Association of Privacy Professionals Advisor newsletter that it is simply too soon.
We will be hosting a free online webinar, ‘GDPR 5 Months On’, on Tuesday October 16th at 11am, where we will look at the implications of GDPR for payroll processing and how employers can demonstrate compliance by following a few simple steps.
Businesses must provide their employees with information on what happens to their data, for example when sharing employees’ personal data with a payroll bureau that processes the payroll. Employee personal data can be stored and managed by a payroll bureau, bookkeeper or accountant for the sole purpose of correctly paying wages, paying the correct tax and providing a payslip. All of this legitimately falls under the remit of the GDPR legislation.
Many bureaus have expressed concern and confusion in relation to getting consent from clients’ employees and securely distributing payslips. Payroll bureaus do not need to seek consent from the individual employees whose payroll is processed. However, the employer will need to inform their employees that they are sharing their personal information with a third party.
An employee cannot withdraw their consent for their personal data to be used as part of payroll processing. It should be noted that bureaus should keep only the personal data that is strictly required for the purpose of the payroll. This is referred to as data minimisation or privacy by default.
BrightPay is running a free webinar to help you with what you need to know about GDPR. The webinar takes place on 3rd July at 11.00 am and is free to attend for payroll bureaus and employers.
This webinar will look at the biggest areas of concern including emailing payslips, employee consent and your legal obligation. We will also look at some important steps to achieve GDPR compliance.
Is the emailing of payslips permissible under GDPR?
There is nothing in the GDPR that states it is no longer permissible to email payslips; this practice is still very much acceptable. The thing to keep in mind in relation to emailing payslips is to ensure that all appropriate security measures are in place. The payslips that are emailed from BrightPay are encrypted and deleted from our servers once sent; however, it may also be prudent for a processor of the payroll to password-protect the payslips. It is the responsibility of the data controllers (employers) to be vigilant that correct email addresses are entered.
Can I still use my hard-earned mailing lists after May 25th?
Not automatically - the GDPR states that to be able to ‘lawfully process’ personal data you must be able to rely on at least one of the six lawful bases for processing, the first of which is consent. Consent must be:
• Specific, informed, unambiguous and freely given - there must be evidence that clear affirmative action has been taken.
• Given for a specified purpose.
• Clearly distinguished from everything else where it is obtained as part of a larger document covering other things.
• Evidenced - records must be retained of how the consent was obtained, for example forms, brochures, signage or website screenshots.
• Written in language that is accessible and easily understood.
• Backed by a clear and seamless opt-out process.
If you have mailing lists that you used pre-GDPR, you will not be able to continue using them if you haven’t got specific approval or consent from the individuals.
Do we need to ask for consent from our employees to process their data?
No. The lawful basis for processing and retaining their data is the employer’s legal obligation to deduct taxes etc., together with the contractual agreement in place to pay them and to pay forward the taxes owed on their behalf. Furthermore, given the nature of the relationship between employer and employee, the balance of power is in the employer’s favour, so consent would not be unambiguous or freely given.
More information can be found in the GDPR section of our online support documentation on our website - Bright Contracts UK - GDPR
From May 2018, we will not be able to email you about webinar events, special offers, legislation changes, other group products and payroll related news unless you subscribe to our newsletter. This is due to the GDPR legislation. You will be able to unsubscribe at any time. Don’t miss out - sign up to our newsletter today!
The release includes exciting new features to make your payroll and auto enrolment journey easier and less time-consuming, including:
After purchasing BrightPay Connect, you will need to activate your licence key code. If the licence is not activated, your payroll data will not back up automatically, and employees will not be able to access their payslips or request leave on the self-service portal. Activate your licence key code now to start availing of the many cloud benefits. Haven’t tried BrightPay Connect yet?
BrightPay are delighted to announce that we are the first payroll software on the market to offer direct integration with Aviva. The integration uses an API (application programming interface) that links the payroll software directly to the pension provider, allowing customers to submit their pension data file to the Aviva online portal from within BrightPay.
For busy employers, it can be difficult to keep up to date with the constant changes in employment law. In this webinar our employment law experts discuss what is new in employment law, review recent employment law cases and look at the most frequently asked questions that come through our support line.
In this guide, we will specifically look at the impact of GDPR on your payroll processing and address the biggest areas of concern. We will walk you through some important steps to achieve GDPR compliance.
Your clients will need to be ready to implement the increased minimum contribution rates for auto enrolment from April 2018 and April 2019. Our guide and free webinar look at what you must know about processing the increases in contribution rates in 2018 (and clients should thank you for it).
Under the GDPR legislation, where possible the controller should be able to offer self-service remote access to a secure system that gives the individual direct access to his or her personal data. BrightPay Connect is a self-service option that gives your payroll clients and their employees online remote access to view payslips and other payroll documents 24/7.